Tuesday, January 12, 2010

China hacks Google =UPDATED=

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.

We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations. People wanting to learn more about these kinds of attacks can read this U.S. government report (PDF), Nart Villeneuve's blog and this presentation on the GhostNet spying incident.

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech. In the last two decades, China's economic reform programs and its citizens' entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that "we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China."

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

+++++++++++++++++

Doesn't it look like they know that the Chinese government is behind all this? And that the decision to operate Google.cn openly is a response to that? Good work, Google. Now that you've talked the talk, walk the walk.

UPDATE: The New York Times has more:

Google did not publicly link the Chinese government to the cyber attack, but people with knowledge of Google’s investigation said they had enough evidence to justify its actions.

A United States expert on cyber warfare said that 34 companies were targeted, most of them high-technology companies in Silicon Valley. The attacks came from Taiwanese Internet addresses, according to James Mulvenon, an expert on Chinese cyberwarfare capabilities.

Mr. Mulvenon said that the stolen documents were sent electronically to a server controlled by Rackspace, based in San Antonio.

“For Google to pull up stakes and basically pull out China, the attack must have been large in scope and very penetrating,” Mr. Mulvenon said. “This attack highlights the fact that cyberwarfare has basically gone to the next level.”

Note again the abuse of Taiwan -- the attacks originated from here, just as China used Taiwan firms to send nuke tech to Iran. It's obvious that at least one payoff China is hoping for is western ire at Taiwan.

Hope the local papers give this wide publicity.

UPDATE II: "call me cynical, but would google be this principled if their China business were #1 and doing well?" (post to niubi)

There are a lot of comments from "knowing" expats that Google is just doing this because it is losing market share to Baidu. While true, it still commands a ~20% share and losses among users who actually spend money appear to be smaller (20% of China's educated internet users is bigger than many countries where Google dominates). But both that article and Google's 2006 blogpost say that they are in China for the long haul. Moreover, the post shows that Google has always been cognizant of the human values involved in investing in China.

The cynicism of "it's all about market share", and all such uses of cynicism as an analytical stance rather than as an emotional response, is really just a mask for an ideology of power that shills for China (and all forms of authoritarian power). By treating Google as the active agent, and China as the passive recipient of Google's action, it takes China's theft and spying activities, its authoritarian regime, its murderous, thuggish ways, as constants, like gravity, something part of the environment, but something which need not explain itself nor account for its actions. In the cynical formulation, "power" just is and has no moral agency of its own. Hence the spotlight is always focused on those who take action, "exposing" their hypocrisy. By putting the spotlight on Google, the cynics remove it from China -- but it is China that has acted evilly here, not Google.

So call me cynical, but would all those China expats be so quick to leap on Google if they lived outside China?

In response to the US arms sales, China tests new anti-missile system, but no details are given. I just bought a Porsche, but I'm not showing you any pictures nor telling you where I bought it or how much I paid or which model it is. You'll just have to believe me. And then there is the timing. "Comrade! The Yanqui bastards have sold more arms to Taiwan!" "Quick, we must test our anti-missile systems!" "But comrade, it takes weeks to arrange the test vehicles and set up the equipment."


22 comments:

Anonymous said...

If I recall, there was a great deal of concern over Google's move to enter the China market. Google jumped in, caution to the wind, with the usual platitudes on how "we" are going to change "them". This has been the West's idea for some time. "If we just put our ethics aside our superiority will change them and tame them and make them into a mature, democratic country." These efforts always fail and we are left with nothing but analogous tales of gradualist dreams.

Computer security, upgrading of basic internet infrastructure, open source and open standards to break the abusive Microsoft monopoly, transparent government--yet another medium sized issue that gets completely lost in the political debate in Taiwan because of China. DPP, want to pick a couple of easy percent of votes?

This Google issue calls to mind Frank Ching's latest piece, entitled "Feared, Not Revered." The story is about Liu Xiaobo, but the conclusion is just as relevant to the Google story:

China seems to feel that it can safely disregard international opinion now that it has become one of the world's leading economic powers. But, it needs to learn that might does not make right.

And while its rise may cause it to be feared, it will not cause it to be liked.

Ching notes that the Liu issue has harmed China's image in the diplomatic circles by reemphasizing the issue of Chinese human rights violations. I would add that this hacking problem, along with the Rio Tinto arrests, seems to have harmed China's image in business circles. Moreover, according to AFP, Belgium's Karel De Gucht, who is Europe's incoming trade commissioner, has just stated that, regarding China's undervalued currency, "It is clear to me that this is a deliberate policy and we should address this on all possible occasions, bilaterally and also multilaterally." Last but not least, out of the US this week comes revelations that up to 12 percent of China-made children's jewelry tested by an AP-organized lab contains dangerous levels of cadmium. For consumers, this has once again highlighted the issue of the questionable safety of Chinese products.

Now let's consider the missile test. You can be sure that Japan and India are not too happy at the moment, and the US military is probably a little vexed.

You note that little information has been revealed about the test. Nevertheless, a Pentagon spokeswoman says that they have evidence that a successful missile test was indeed conducted. Meanwhile, the Pentagon and at least one Chinese academic from Peking University agree that this was probably not really in response to the Taiwan arms deal due to the fact that, as you note, such a missile test takes time to prepare for. Yet the Chinese will have no problem portraying the missile test as Taiwan-related. They are surely hoping to pressure the Obama administration not to offer a larger package of arms to Taiwan early this year. Will Obama get cold feet over this larger arms deal as a result of Chinese pressure? One can hope not.

To tie all of this together, I will say that the Chinese government almost seems to be trying to cultivate an "evil empire" image. In human rights, trade and military matters, the message from Beijing seems to be more and more that China will do what it wants to do rather than working as a partner to other countries.

The US has been accused of disregarding the views of other countries in the past decade, but the US had a huge store of soft power to burn through, which has slightly cushioned the impact of such accusations.

Could the Chinese become the world's new punching bag? If so, it would certainly be an unintended consequence of Beijing's hasty push for influence.

I can understand the justification for Google to set up shop in China. Gmail was probably a more secure form of email than anything else you could get there… it’s taken a huge attack to just barely compromise it, which is/was good news for activists. So I don’t blame Google for being there in the first place. I hear they’ve actually turned off their filters already, which means they’re serious about being ready to leave. I hope many Chinese do all the forbidden research they can before that situation changes.

I don’t understand cyber attacks well enough to understand how Taiwanese resources may have been used – anyone?

...but it turns out it's one of those cheap Chinese tricks everyone in the online security industry knows about, so no harm there.

Anyway, good for Google!!! This is the closest thing to a declaration of war on China that any country or organization has done. To actually come out against the China bandwagon and say "it's not worth doing business with you if you keep screwing me, no matter what (potential) market you have" takes balls. Lots of balls.

Hopefully this becomes another one of Google's market changing innovations that other companies will take notice and follow.

The thing about market share is that 25% is not insignificant. It's actually pretty impressive, you just have to ignore the cynicism and put it into perspective.

Smartphones - Blackberry and iPhones only have approximately 20% market share each. Do you see RIM or Apple saying "hey we only have 20% of the market share, so let's stop making phones"?

Fast Food - McDonald's only has 19% of the fast food market share in the US. Do you see them pulling out of fast food too because "they lost" to YUM (Pizza hut, KFC)?

Cars - Toyota only has 18% of the market share for US cars. GM has 19, and Ford has 16. Should Toyota pull out of the US?

Soft Drink - Pepsi only has 31% of market share. Coke has 42%. So Pepsi has failed?

Any of the cynics would be happy with the ~20% market share for Apple, RIM, McDonald's, Pepsi and Toyota, and consider them to be successful businesses. But somehow 20% is a failure for Google in China.

Brace yourselves for patriotic anti-Google demonstrations by legions of perfectly programmed mao-bots studying or living overseas: "Google.com.cn is, always has been and always will be subject to and governed by the regulations of the glorious People's Internet of China!"

niubi is retarded. 20% in China is so huge! It's a rapidly growing market! And its absolute maximum potential is four times the size of the US market, already the largest in the world.

Google loses a lot by not being in China (if users can find a way to get around China's GFW, they have full access to Google still). But China loses a lot from Google not investing in China. Google is a very special company doing things that are very sophisticated and that Google's soon to be non-existent Chinese engineers won't be learning about. That's going to be a huge blow to China's technology sector, IMO.

"But China loses a lot from Google not investing in China. Google is a very special company doing things that are very sophisticated and that Google's soon to be non-existent Chinese engineers won't be learning about. That's going to be a huge blow to China's technology sector, IMO." Anon 3:46 P.M.

Great comment! I hope everyone at Google and at other companies, as well as in the foreign affairs departments of all free countries worldwide take these things into serious consideration, so that China no longer gets the free ride it's been given thus far.

The more I read about this, the more interesting it appears. To respond to the cynics and their detractors, I would only say that Google is certainly making this announcement following an analysis of their business prospects. Company executives may feel that the positive press that is generated for them in the rest of the world will give them a one-up on their competitors in other markets. Despite its 20 percent market share in China, the revenue from China business still makes up only a small portion of Google's worldwide total revenue. Google's executives may have decided that they have little to lose. Stand up to China and they gain positive press worldwide, and quite possibly some disenchanted Yahoo and Microsoft customers in many other markets. And if China capitulates somehow (unlikely), Google will get to stay in China and have the benefits of a better reputation worldwide.

What I don't understand is why the cynics are so critical. China's censorship is a curse. What is wrong with an IT company saying that it plans to align its business interests with the wishes of the public at large?

Moreover, cynics tend to overlook the manner in which Google has gone about this. Google could have protested quietly. Instead, the company spearheaded what can only be called an attack on the Chinese authorities. And it seems that the State Department (Hillary Clinton no less) and a few human rights orgs chimed in in support within 24 hours. The Chinese authorities have been simultaneously broadsided by the American business and diplomatic communities. This will effectively bury the news of China's missile tests along with the domestic orgiastic media celebration of China's military.

Ask yourself: What is the discussion currently going on behind closed doors in Beijing? We can only imagine...

What did Google expect? My cynicism for Google will be diminished when they actually pull out of China (since China is certainly not going to agree to an uncensored search engine). This cynicism, I may add, does nothing to lessen the culpability of this whole affair. U.S. corporations (and international corporations for that matter) should not give China the benefit of the doubt, in other words....

@carlos - how it's done (one possible approach, anyway):

* first you infect large numbers of PCs via viruses or trojans so that they can be controlled from the outside
* this forms a bot-net which you can centrally control
* you now upload a program to these PCs - this program can go through a list of user names you are interested in and (pretty much randomly) generates passwords for each account and checks if gmail lets them log in
* since you have a large number of PCs, user names and passwords, eventually you'll get a match on one of them - if you have a match you upload it to some website, post it on an IRC channel or something like that

After a while you get a large database of usernames and passwords.

If the attack is sophisticated they won't try too often and too fast from the same machines, so the admins don't notice anything unusual. After all everyone mistypes their password sometimes.

Apparently they weren't sophisticated enough - maybe Google saw that they'd get a lot of unsuccessful login attempts from IP addresses which are not in the geographical range where the user would successfully log in.

After that Google probably identified the program which was used on the botnet - maybe found out from where it was controlled. (Could be an IRC channel.) Then they would see which tasks it was given and thus they'd also find out which other companies were targeted.

This is just one possible scenario, there are many other ways in which this could be done or in which the attack could be detected.
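The detection idea raised in the comment above (failed logins arriving from addresses outside the range where the user normally logs in successfully), sketched as an added example that is not part of the original post or its comments. The event fields, thresholds and country labels are assumptions, and the sample events are constructed; it shows why a per-IP failure limit misses slow, distributed guessing while a per-account view catches it.

```python
from collections import defaultdict

# Constructed sample events: (account, source_ip, country, success).
# "country" is assumed to come from an upstream GeoIP lookup; the IPs are
# documentation ranges and the country codes are placeholders.
EVENTS = [
    ("alice", "192.0.2.10", "XA", True),
    ("alice", "192.0.2.10", "XA", False),   # ordinary mistyped password
    ("alice", "192.0.2.10", "XA", True),
    ("bob", "192.0.2.20", "XA", True),
    ("carol", "192.0.2.30", "XA", True),
    ("carol", "203.0.113.5", "XB", False),  # one foreign source, two tries
    ("carol", "203.0.113.5", "XB", False),
]
# One failure each from six different machines: slow and spread out.
EVENTS += [("bob", f"198.51.100.{i}", "XB" if i % 2 else "XC", False)
           for i in range(1, 7)]


def per_ip_alerts(events, max_failures_per_ip=3):
    """Naive check: source IPs with more failures than the threshold."""
    failures = defaultdict(int)
    for _account, ip, _country, success in events:
        if not success:
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n > max_failures_per_ip}


def per_account_alerts(events, min_failures=5, min_sources=4):
    """Flag accounts whose failures come from many distinct sources in
    countries where that account has never logged in successfully."""
    home = defaultdict(set)          # account -> countries with a success
    for account, _ip, country, success in events:
        if success:
            home[account].add(country)

    odd = defaultdict(list)          # account -> out-of-range failures
    for account, ip, country, success in events:
        if not success and country not in home[account]:
            odd[account].append((ip, country))

    alerts = {}
    for account, hits in odd.items():
        sources = {ip for ip, _ in hits}
        if len(hits) >= min_failures and len(sources) >= min_sources:
            countries = sorted({c for _, c in hits})
            alerts[account] = (len(hits), len(sources), countries)
    return alerts


if __name__ == "__main__":
    print("per-IP alerts:     ", per_ip_alerts(EVENTS))
    print("per-account alerts:", per_account_alerts(EVENTS))
```
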

Just to be clear, Taiwan has a serious information security problem. Using Windows without updates, sometimes because it's pirated, is a serious, serious issue. You can't fake IP addresses. You can attack computers, take over control, and launch your attacks from them (hiding the true origin).

What I don't understand is why the cynics are so critical. China's censorship is a curse. What is wrong with an IT company saying that it plans to align its business interests with the wishes of the public at large?

IT security consultancy Sophos said the number of company-focused internet attacks was doubling each year, potentially costing companies billions of pounds through piracy, spying, sabotage and blackmail.
